diff --git a/templates/athens-proxy/_deployment.tpl b/templates/athens-proxy/_deployment.tpl
index 9a7b4cd..1e7c2e7 100644
--- a/templates/athens-proxy/_deployment.tpl
+++ b/templates/athens-proxy/_deployment.tpl
@@ -64,14 +64,41 @@
 {{- $volumeMounts = concat $volumeMounts (list (dict "name" "data" "mountPath" .Values.persistence.data.mountPath)) }}
 {{- end }}
+
+{{/* volumeMount (git config) */}}
 {{- if .Values.config.gitConfig.enabled }}
 {{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.gitconfig" "subPath" ".gitconfig" )) }}
 {{- end }}
+{{/* volumeMount (netrc) */}}
 {{- if .Values.config.netrc.enabled }}
 {{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.netrc" "subPath" ".netrc" )) }}
 {{- end }}
+{{/* volumeMount (ssh) */}}
+{{- if and .Values.config.ssh.enabled }}
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.config) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.configKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/config" "subPath" "config" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_ed25519) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_ed25519Key) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_ed25519" "subPath" "id_ed25519" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_ed25519_pub) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_ed25519PubKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_ed25519.pub" "subPath" "id_ed25519.pub" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_rsa) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_rsaKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_rsa" "subPath" "id_rsa" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_rsa_pub) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_rsaPubKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_rsa.pub" "subPath" "id_rsa.pub" )) }}
+{{- end }}
+
+{{- end }}
+
 {{ toYaml (dict "volumeMounts" $volumeMounts) }}
 {{- end -}}
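Review bot: The five mount predicates in the ssh block repeat, clause for clause, the item predicates of the volumes hunk further down, and any drift between the two produces a subPath mount for a path the projected volume never emits, which fails at pod start rather than at render time; the `existingSecret.enabled` true with empty `secretName` case already diverges, because the volumes side skips every item there while this side still adds the mounts. Hoisting the per-file decision into one place (a single list of file name, values key and existing-secret key that both blocks `range` over) would remove the duplication. `{{- if and .Values.config.ssh.enabled }}` applies `and` to a single operand; `{{- if .Values.config.ssh.enabled }}` reads the same. A short comment on the block would help operators, since subPath mounts are snapshots of the secret: `{{/* subPath mounts are not refreshed when the secret changes; rotating SSH keys requires a rollout */}}`. The enclosing define starts above this hunk.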
@@ -88,30 +115,102 @@
 {{- $volumes = concat $volumes (list (dict "name" "data" "persistentVolumeClaim" (dict "claimName" $claimName))) }}
 {{- end }}
+{{/* volumes (git config) */}}
+{{- $projectedSecretSources := list -}}
+
+
 {{- if .Values.config.gitConfig.enabled }}
-{{- $projectedSources := list -}}
 {{- $itemList := list (dict "key" ".gitconfig" "path" ".gitconfig" "mode" 0644) }}
 {{- $configMapName := include "athens-proxy.configMap.gitConfig.name" . }}
 {{- if .Values.config.gitConfig.existingConfigMap.enabled }}
 {{- $itemList = list (dict "key" .Values.config.gitConfig.existingConfigMap.gitConfigKey "path" ".gitconfig" "mode" 0644) }}
 {{- $configMapName = .Values.config.gitConfig.existingConfigMap.configMapName }}
 {{- end }}
-{{- $projectedSources = concat $projectedSources (list (dict "configMap" (dict "name" $configMapName "items" $itemList))) }}
+{{- $projectedSecretSources = concat $projectedSecretSources (list (dict "configMap" (dict "name" $configMapName "items" $itemList))) }}
-{{- $volumes = concat $volumes (list (dict "name" "secrets" "projected" (dict "sources" $projectedSources)))}}
 {{- end }}
+{{/* volumes (netrc) */}}
+
 {{- if .Values.config.netrc.enabled }}
-{{- $projectedSources := list -}}
 {{- $itemList := list (dict "key" ".netrc" "path" ".netrc" "mode" 0600) }}
 {{- $secretName := include "athens-proxy.secrets.netrc.name" . }}
 {{- if .Values.config.netrc.existingSecret.enabled }}
 {{- $itemList = list (dict "key" .Values.config.netrc.existingSecret.netrcKey "path" ".netrc" "mode" 0600) }}
 {{- $secretName = .Values.config.netrc.existingSecret.secretName }}
 {{- end }}
-{{- $projectedSources = concat $projectedSources (list (dict "secret" (dict "name" $secretName "items" $itemList))) }}
+{{- $projectedSecretSources = concat $projectedSecretSources (list (dict "secret" (dict "name" $secretName "items" $itemList))) }}
-{{- $volumes = concat $volumes (list (dict "name" "secrets" "projected" (dict "sources" $projectedSources)))}}
+{{- end }}
+
+{{/* volumes (ssh) */}}
+{{- if .Values.config.ssh.enabled }}
+
+{{- $itemList := list -}}
+{{- $secretName := include "athens-proxy.secrets.ssh.name" . }}
+
+{{- if and .Values.config.ssh.existingSecret.enabled .Values.config.ssh.existingSecret.secretName }}
+{{- $secretName = .Values.config.ssh.existingSecret.secretName }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.configKey) 0 }}
+{{- $configItem := dict "key" .Values.config.ssh.existingSecret.configKey "path" "config" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $configItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_ed25519Key) 0 }}
+{{- $idED25519Item := dict "key" .Values.config.ssh.existingSecret.id_ed25519Key "path" "id_ed25519" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idED25519Item) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_ed25519PubKey) 0 }}
+{{- $idED25519PubItem := dict "key" .Values.config.ssh.existingSecret.id_ed25519PubKey "path" "id_ed25519.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idED25519PubItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_rsaKey) 0 }}
+{{- $idRSAItem := dict "key" .Values.config.ssh.existingSecret.id_rsaKey "path" "id_rsa" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idRSAItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_rsaPubKey) 0 }}
+{{- $idRSAPubItem := dict "key" .Values.config.ssh.existingSecret.id_rsaPubKey "path" "id_rsa.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idRSAPubItem) }}
+{{- end }}
+{{- end }}
+
+{{- if not .Values.config.ssh.existingSecret.enabled }}
+{{- if gt (len .Values.config.ssh.secret.config) 0 }}
+{{- $configItem := dict "key" "config" "path" "config" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $configItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_ed25519) 0 }}
+{{- $idED25519Item := dict "key" "id_ed25519" "path" "id_ed25519" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idED25519Item) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_ed25519_pub) 0 }}
+{{- $idED25519PubItem := dict "key" "id_ed25519.pub" "path" "id_ed25519.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idED25519PubItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_rsa) 0 }}
+{{- $idRSAItem := dict "key" "id_rsa" "path" "id_rsa" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idRSAItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_rsa_pub) 0 }}
+{{- $idRSAPubItem := dict "key" "id_rsa.pub" "path" "id_rsa.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idRSAPubItem) }}
+{{- end }}
+{{- end }}
+
+{{- $projectedSecretSources = concat $projectedSecretSources (list (dict "secret" (dict "name" $secretName "items" $itemList))) }}
+{{- end }}
+
+{{- if gt (len $projectedSecretSources) 0 }}
+{{- $projectedSecretVolume := dict "name" "secrets" "projected" (dict "sources" $projectedSecretSources) }}
+{{- $volumes = concat $volumes (list $projectedSecretVolume) }}
 {{- end }}
 {{ toYaml (dict "volumes" $volumes) }}
diff --git a/unittests/deployment/ssh.yaml b/unittests/deployment/ssh.yaml
new file mode 100644
index 0000000..59aee68
--- /dev/null
+++ b/unittests/deployment/ssh.yaml
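Review bot: `{{- if and .Values.config.ssh.existingSecret.enabled .Values.config.ssh.existingSecret.secretName }}` silently keeps the chart-managed secret name when `secretName` is left at its `""` default, and since the `not existingSecret.enabled` branch is skipped too, the chart emits a projected source with an empty `items` list for a secret the operator never intended to use, while the volumeMounts hunk above still mounts every configured subPath. Rejecting the misconfiguration at render time is clearer: `{{- if and .Values.config.ssh.existingSecret.enabled (not .Values.config.ssh.existingSecret.secretName) }}` / `{{- fail "config.ssh.existingSecret.secretName is required when config.ssh.existingSecret.enabled is true" }}` / `{{- end }}` placed before the existing `if and`. The same empty-items source is produced whenever `ssh.enabled` is true but no file content or key name is configured; guarding the final `concat` with `{{- if gt (len $itemList) 0 }}` keeps the rendered volume from referencing a secret it does not use. The existing-secret and chart-secret blocks are near copies differing only in the key names, so a single list of file, key and mode that both branches `range` over would halve the block and keep the modes (0600 for private material, 0644 for public keys) defined once. The enclosing define starts above this hunk.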
@@ -0,0 +1,221 @@
+chart:
+ appVersion: 0.1.0
+ version: 0.1.0
+suite: Deployment template
+release:
+ name: athens-proxy-unittest
+ namespace: testing
+templates:
+- templates/athens-proxy/deployment.yaml
+tests:
+- it: Rendering default without mounted ssh secret
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/config
+ subPath: config
+ - notContains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_ed25519
+ subPath: id_ed25519
+ - notContains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_ed25519.pub
+ subPath: id_ed25519.pub
+ - notContains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_rsa
+ subPath: id_rsa
+ - notContains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_rsa.pub
+ subPath: id_rsa.pub
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: secrets
+ projected:
+ sources:
+ - secret:
+ items:
+ - key: config
+ path: config
+ mode: 0644
+ - key: id_ed25519
+ path: id_ed25519
+ mode: 0600
+ - key: id_ed25519.pub
+ path: id_ed25519.pub
+ mode: 0644
+ - key: id_rsa
+ path: id_rsa
+ mode: 0600
+ - key: id_rsa.pub
+ path: id_rsa.pub
+ mode: 0644
+ name: athens-proxy-unittest-ssh
+
+- it: Rendering default with mounted ssh config
+ set:
+ config.ssh.enabled: true
+ persistence.enabled: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/config
+ subPath: config
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: secrets
+ projected:
+ sources:
+ - secret:
+ items:
+ - key: config
+ path: config
+ mode: 0600
+ name: athens-proxy-unittest-ssh
+
+- it: Rendering default with mounted ssh keys
+ set:
+ config.ssh.enabled: true
+ config.ssh.secret.id_ed25519: foo
+ config.ssh.secret.id_ed25519_pub: bar
+ config.ssh.secret.id_rsa: foo
+ config.ssh.secret.id_rsa_pub: bar
+ persistence.enabled: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/config
+ subPath: config
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_ed25519
+ subPath: id_ed25519
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_ed25519.pub
+ subPath: id_ed25519.pub
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_rsa
+ subPath: id_rsa
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_rsa.pub
+ subPath: id_rsa.pub
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: secrets
+ projected:
+ sources:
+ - secret:
+ items:
+ - key: config
+ path: config
+ mode: 0600
+ - key: id_ed25519
+ path: id_ed25519
+ mode: 0600
+ - key: id_ed25519.pub
+ path: id_ed25519.pub
+ mode: 0644
+ - key: id_rsa
+ path: id_rsa
+ mode: 0600
+ - key: id_rsa.pub
+ path: id_rsa.pub
+ mode: 0644
+ name: athens-proxy-unittest-ssh
+
+- it: Rendering with custom ssh secret
+ set:
+ config.ssh.enabled: true
+ config.ssh.existingSecret.enabled: true
+ config.ssh.existingSecret.secretName: "my-custom-secret"
+ config.ssh.existingSecret.configKey : "my-config-key"
+ config.ssh.existingSecret.id_ed25519Key : "my-private-ed25519-key"
+ config.ssh.existingSecret.id_ed25519PubKey : "my-public-ed25519-key"
+ config.ssh.existingSecret.id_rsaKey : "my-private-rsa-key"
+ config.ssh.existingSecret.id_rsaPubKey : "my-public-rsa-key"
+ persistence.enabled: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/config
+ subPath: config
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_ed25519
+ subPath: id_ed25519
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_ed25519.pub
+ subPath: id_ed25519.pub
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_rsa
+ subPath: id_rsa
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: secrets
+ mountPath: /root/.ssh/id_rsa.pub
+ subPath: id_rsa.pub
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: secrets
+ projected:
+ sources:
+ - secret:
+ items:
+ - key: my-config-key
+ path: config
+ mode: 0600
+ - key: my-private-ed25519-key
+ path: id_ed25519
+ mode: 0600
+ - key: my-public-ed25519-key
+ path: id_ed25519.pub
+ mode: 0644
+ - key: my-private-rsa-key
+ path: id_rsa
+ mode: 0600
+ - key: my-public-rsa-key
+ path: id_rsa.pub
+ mode: 0644
+ name: my-custom-secret
\ No newline at end of file
diff --git a/values.yaml b/values.yaml
index 147fd6f..b6f2af5 100644
--- a/values.yaml
+++ b/values.yaml
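Review bot: The `notContains` assertion on `spec.template.spec.volumes` in the first test lists the `config` item with `mode: 0644`, while the template emits `mode: 0600` for it (the three positive tests in this file assert 0600), so that content can never match and the assertion passes no matter what is rendered; change it to `mode: 0600` so the negative test actually guards something. There is no case for `config.ssh.existingSecret.enabled: true` with `secretName` left empty, which is the configuration where the volumeMounts and volumes templates disagree; a test pinning the intended outcome there would catch regressions. Minor: `config.ssh.existingSecret.configKey : "my-config-key"` and the four set lines after it carry a space before the colon, unlike the rest of the file.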
@@ -185,18 +185,32 @@ config:
 # machine api.github.com [octocat] password [PAT]
 ssh:
- ## @param config.ssh.existingSecret.enabled TODO:.
- ## @param config.ssh.existingSecret.secretName TODO:
+ ## @param config.ssh.enabled Enable mounting of a .netrc file into the container file system.
+ enabled: false
+
+ ## @param config.ssh.existingSecret.enabled Enable to use an external secret for mounting the public and private SSH key files.
+ ## @param config.ssh.existingSecret.secretName The name of the existing secret which should be used to mount the public and private SSH key files.
+ ## @param config.ssh.existingSecret.configKey The name of the key inside the secret where the content of the SSH client config file is stored.
+ ## @param config.ssh.existingSecret.id_ed25519Key The name of the key inside the secret where the content of the id_ed25519 key file is stored.
+ ## @param config.ssh.existingSecret.id_ed25519PubKey The name of the key inside the secret where the content of the id_ed25519.pub key file is stored.
+ ## @param config.ssh.existingSecret.id_rsaKey The name of the key inside the secret where the content of the id_rsa key file is stored.
+ ## @param config.ssh.existingSecret.id_rsaPubKey The name of the key inside the secret where the content of the id_ed25519.pub key file is stored.
 existingSecret:
 enabled: false
+ secretName: ""
+ configKey: "config"
+ id_ed25519Key: "id_ed25519"
+ id_ed25519PubKey: "id_ed25519.pub"
+ id_rsaKey: "id_rsa"
+ id_rsaPubKey: "id_rsa.pub"
- ## @param config.ssh.secret.annotations Additional annotations of the secret containing the database credentials.
- ## @param config.ssh.secret.labels Additional labels of the secret containing the database credentials.
- ## @param config.ssh.secret.files TODO:
- ## @skip config.ssh.secret.id_ed25519 TODO:
- ## @skip config.ssh.secret.id_ed25519_pub TODO:
- ## @skip config.ssh.secret.id_rsa TODO:
- ## @skip config.ssh.secret.id_rsa_pub TODO:
+ ## @param config.ssh.secret.annotations Additional annotations of the secret containing the public and private SSH key files.
+ ## @param config.ssh.secret.labels Additional labels of the secret containing the public and private SSH key files.
+ ## @param config.ssh.secret.config The content of the SSH client config file.
+ ## @skip config.ssh.secret.id_ed25519 The content of the private SSH ed25519 key.
+ ## @skip config.ssh.secret.id_ed25519_pub The content of the public SSH ed25519 key.
+ ## @skip config.ssh.secret.id_rsa The content of the private SSH RSA key.
+ ## @skip config.ssh.secret.id_rsa_pub The content of the public SSH RSA key.
 secret:
 annotations: {}
 labels: {}
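Review bot: The description of `config.ssh.enabled` is copied from the netrc block and the `id_rsaPubKey` description names the wrong file; they should read `## @param config.ssh.enabled Enable mounting of the SSH client config and key files into the container file system.` and `## @param config.ssh.existingSecret.id_rsaPubKey The name of the key inside the secret where the content of the id_rsa.pub key file is stored.`. Because every `*Key` default is non-empty, enabling `existingSecret` makes the deployment template project all five keys, so the referenced secret must either contain all of them or the unused `*Key` values must be cleared; that contract belongs in this comment block, e.g. `## Set a key name to "" to skip mounting that file.`. The `@skip` on the private key values keeps them out of generated docs, which is the right call for key material.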